In this security release, we have fixed a critical vulnerability in addition to the usual bug fixes, as well as two other general security improvements. Affected are the Shopware versions from 6.1.0 up to and including 6.3.5.0. The following vulnerabilities have been fixed with this security update:
NEXT-13371 - Leak of information via Store-API
NEXT-12824 - Generation of fake documents via public GET-call
NEXT-13247 - Improvement of API token invalidation
The vulnerability from NEXT-13371 could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. Please check your plugins if you have it in use. Detailed technical information can be found in the upgrade information.
We recommend to update to the current version 6.3.5.1. You can get the update to 6.3.5.1 regularly via the Auto-Updater or directly via the download overview.
https://www.shopware.com/en/download/#shopware-6
For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659
